Network Security Focus-IDS

RE: IDS Signature Confidence

Subject: RE: IDS Signature Confidence
Date: Mon, 25 Jul 2005 15:56:35 -0400 (GMT-04:00)
Nick/Dan, (must have a split personality, or you have worked with too many 
bi-polar PhD security consultants or former "Cyber Investigators")

My comments on earlier posts could have contained a bit of complex gobbledygook; 
it all depends on how the IPS is configured in a particular network environment 
and how effective a particular set of intrusion detection signatures/protocol 
decodes is under certain network conditions.
  
If utilizing a Local Management Interface or Centralized Management Console, it 
is based on the default security policies or custom security policies a 
designated security administrator utilizes (i.e. monitor for known attacks, 
anomalies, DDoS, or specialized applications (Web, E-Commerce)).

Each set of security policies will include a set number of signatures/protocol 
decodes that might have been quickly tested for effectiveness in a particular 
environment with x number of packets per second, etc., and also depending on 
whether the IPS is capable of being configured in tap mode, inline mode or 
monitor-only mode.  Within each given configuration, an IPS's speed of analysis 
may or may not be greatly affected, depending on the vendor's 
implementation/architecture using commodity-based hardware or specialized 
hardware. How fast a particular IPS is really shouldn't be the issue, but how 
effective a particular IPS is against a defined set of attacks and whether the 
local management interface or centralized management console receives the 
information in a timely fashion.  Those statistics should then be used as a 
variable in calculating IDS Signature Confidence within a given enterprise or 
business environment.

Mileage may vary from network to network due to the percentage of real network 
traffic that a particular IPS is placed against.


THolman@toplayer.com rigorously showed:
If a DoS attack is made up of valid traffic, then a NIDS signature 
isn't going to pick it up.
You need to establish whether or not incoming traffic from individual 
IPs meets acceptable transaction rates, and this is really a job for a 
rate-based IPS.

This seems a stunningly narrow view of a "signature"; I'm surprised to see the 
source (I generally find myself nodding and smiling as I read your posts!). 
Snort's "rate" and "burst" keywords provide (simplistic) rate limiting, as an 
obvious example. By making more information from one's connection tracking, 
etc. available to the signature language, "signatures" can be used quite 
effectively to detect DoS patterns of the type you describe.

Essentially, if a "signature" can both a) access all state available to the 
I[DP]S, and b) be expressed to the signature engine using a language strong 
enough to describe arbitrary [0] operations on this state, it's as powerful as 
any other code the system could employ (All hail the Church-Turing thesis!) If 
an IPS provides signature writers just as much flexibility as it does core 
designers to perform detection, is that a rate-based IPS or a sig-based IPS? 
I'm appalled that these terms are still bandied about when languages could be 
getting fixed instead.

Mark Teicher made a similar point earlier in the thread, but that post suffered 
from being far too readable and containing a paucity of complexity theory 
gobbledygook :).

[0] for values of "arbitrary" bounded by "recursively enumerable", of course, 
but we're among friends.

-- 
nick black          "np:  the class of dashed hopes and idle dreams."
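The point Nick makes above, that a rate-based DoS check becomes just another signature once the signature engine can see connection-tracking state, can be shown concretely. The following is an added example written for this page; it is not code from the thread, from Snort, or from any vendor's IPS. The signature format (`RateSignature`), the per-source tracker, the log record layout (`timestamp source_ip dst_port`) and the sample traffic are all constructed for the example. It generalises Snort's threshold idea slightly by letting any number of such signatures run side by side over the same connection state.

```python
"""
Rate-based "signature" evaluated over per-source connection-tracking state.

Added illustrative example; not from the original thread or from Snort.
The signature format, tracker, log format and sample traffic are all
constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateSignature:
    """Fires when one source opens more than `count` connections to
    `dst_port` within any sliding window of `seconds` seconds."""
    sid: int
    msg: str
    dst_port: int
    count: int       # connections tolerated inside the window
    seconds: float   # sliding window length


class ConnectionTracker:
    """Minimal connection-tracking state exposed to signatures:
    the timestamps of recent connection attempts per (src, dst_port)."""

    def __init__(self):
        self._recent = defaultdict(deque)

    def observe(self, ts, src, dst_port, window):
        """Record an attempt, expire entries older than `window`, and
        return how many attempts this source made inside the window."""
        q = self._recent[(src, dst_port)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        return len(q)


def parse_conn_line(line):
    """Parse a constructed 'ts src dst_port' record into a tuple."""
    ts, src, port = line.split()
    return float(ts), src, int(port)


def run_signatures(lines, sigs):
    """Evaluate every rate signature over time-ordered connection records.
    Returns alerts as (sid, src, ts); each (sid, src) pair alerts once so
    that a flood does not also flood the console."""
    trackers = {s.sid: ConnectionTracker() for s in sigs}
    alerted = set()
    alerts = []
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, src, port = parse_conn_line(line)
        for s in sigs:
            if port != s.dst_port:
                continue
            n = trackers[s.sid].observe(ts, src, port, s.seconds)
            if n > s.count and (s.sid, src) not in alerted:
                alerted.add((s.sid, src))
                alerts.append((s.sid, src, ts))
    return alerts


# Constructed signatures (sids and thresholds are hypothetical).
SIGNATURES = [
    RateSignature(1000001, "HTTP connection flood from one source", 80, 20, 5.0),
    RateSignature(1000002, "SSH connection flood from one source", 22, 10, 1.0),
]

# Constructed sample traffic, not captured data.
SAMPLE_CONNECTIONS = (
    # a legitimate client: four connections spread over ten seconds
    ["%.1f 10.0.0.5 80" % t for t in (0.0, 3.5, 7.0, 9.8)]
    # one host opening 50 connections to port 80 inside two seconds
    + ["%.2f 198.51.100.7 80" % (1.0 + i * 0.04) for i in range(50)]
    # the same host doing the same against port 22
    + ["%.2f 198.51.100.7 22" % (1.0 + i * 0.04) for i in range(50)]
)


def detect():
    """Run the constructed signatures over the constructed traffic."""
    return run_signatures(SAMPLE_CONNECTIONS, SIGNATURES)


if __name__ == "__main__":
    for sid, src, ts in detect():
        print("sid %d fired for %s at t=%.2f" % (sid, src, ts))
```

The legitimate client never trips either signature, while the flooding host is flagged on its 11th SSH attempt and its 21st HTTP attempt. Nothing in `RateSignature` is special to the engine: it is data interpreted against tracker state, which is exactly the "signature with access to connection-tracking state" Nick describes.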


